Securing Access to Hadoop Cluster: Apache Knox

The Apache Knox Gateway (“Knox”) is a system to extend the reach of Apache™ Hadoop®
services to users outside of a Hadoop cluster without reducing Hadoop Security. Knox also
simplifies Hadoop security for users who access the cluster data and execute jobs. The Knox
Gateway is designed as a reverse proxy.

Establishing user identity with strong authentication is the basis for secure access in
Hadoop. Users need to reliably identify themselves and then have that identity
propagated throughout the Hadoop cluster to access cluster resources.

Layers of Defense for a Hadoop Cluster

Authentication: Kerberos

Hortonworks uses Kerberos for authentication. Kerberos is an industry
standard used to authenticate users and resources within a Hadoop cluster.
HDP also includes Ambari, which simplifies Kerberos setup, configuration,
and maintenance.

Perimeter Level Security: Apache Knox

Apache Knox Gateway is used to help ensure perimeter security for Hortonworks
customers. With Knox, enterprises can confidently extend the Hadoop REST API
to new users without Kerberos complexities, while also maintaining
compliance with enterprise security policies. Knox provides a central
gateway for Hadoop REST APIs that have varying degrees of authorization,
authentication, SSL, and SSO capabilities to enable a single access point
for Hadoop.